The General Data Protection Regulation (GDPR) is a European privacy law that took effect on May 25, 2018.
The GDPR is not limited to European companies. It applies to every company that may handle EU nationals' data, which in practice means every company worldwide, wherever it is located.
The GDPR gives individuals more control over their personal data. Specifically, it grants the right to access, rectify, erase, and restrict the processing of consumer data, and sets strict requirements for user consent. If you collect or store any data that can be linked to an individual, that data counts as personal data. You can read the full text of the GDPR for more details.
Caution:
We recommend consulting a legal professional, as every business is different. Some businesses may need more preparation than others to comply with the GDPR. This article gives a general overview of GDPR compliance and points you to the most common requirements.
Steps to prepare for the GDPR
Under the GDPR, store merchants must comply with the regulation if they are based in the EU or sell to EU customers.
We collect and process personal data in a compliant manner. However, it is your responsibility to meet GDPR requirements when collecting and processing personal data from your EU customers. Under the regulation, personal data is any data that can be used to directly or indirectly identify a person. This includes: a name, a photo, an email address, an IP address, bank details, posts on social networking sites, medical information, and even random identifiers assigned to users to collect analytics, run A/B tests, and so on.
We recommend the following:
Obtain explicit consent before collecting any data
You must obtain consent to process your customers' personal data. Write a clear privacy policy that explains why you collect personal data, what data you store, and how customers can withdraw their consent.
To require your customers to accept your terms of service before checkout, enable Require consent to terms and conditions at checkout in your store admin, Settings → Legal, Customers' consent section. This feature ensures every order includes a confirmation of consent: the "I agree with Terms and conditions" checkbox on the cart page. Because an order cannot be placed without agreeing to the Terms and Conditions, placing an order constitutes confirmation of consent.
Caution:
To learn how to add a privacy policy, terms & conditions, and other legal pages to your store, see Legal pages in store.
Obtain explicit consent before sending promotional emails
You must obtain clear consent before sending non-order-related emails to customers. In your store, you can add a sign-up option above the Checkout button. This captures that consent and lets you build a list of customers who have agreed to receive your promotional emails.
To add the sign-up option for your promotional emails to your store's checkout:
- In your store admin, navigate to Settings → Legal.
- Scroll down to the Customers’ consent section.
- Activate Request customers’ approval for your marketing emails at checkout.
- (optional) Click Edit to modify the text displayed for the sign-up option and/or to preselect the sign-up option.
Caution:
You can also add the sign-up option to your store's checkout in Marketing → Newsletters or in Settings → General Settings → Cart & Checkout (the Newsletters section).
Clearly indicate in forms which fields are optional and which are mandatory
Your store clearly marks which fields are mandatory and which are optional:
Obtain explicit consent for tracking store visitors via cookies
You should ask your store visitors for consent before tracking their actions in your storefront via cookies. Merchants can add a dedicated banner to collect that consent.
To add the cookie consent banner to your storefront:
- In your store admin, navigate to Settings → Legal.
- Scroll down to the Customers’ consent section.
- Activate the Cookie consent banner.
Caution:
You can also activate the banner in Settings → General → Tracking & Analytics by enabling the GDPR cookie consent banner.
Once activated, the cookie consent banner appears on the storefront with options to accept, partially accept, or decline (refresh the page to see it):
Visitors can always change their cookie decision later.
Learn more about cookie notifications in your store →
Provide customers with the right to access their data
You must provide your customers, on request, with a copy of their personal data in an easily readable and portable format. You can access customers' personal data directly in your store admin.
To obtain a customer's personal data:
- In your store admin, navigate to Settings → Legal.
- Scroll down to the Customers’ personal data section.
- Select Get customer data.
- Enter the customer's email address in the field:
- Click Submit.
You will then receive a message at the email address associated with your store account. The message contains the customer's personal data, available for download as a .zip file (the link is valid for 10 days).
Caution:
If you need help obtaining and providing the data, we can supply the necessary data for you. You should also consider any third-party services you use that may have access to your customers' personal data.
Provide customers with the right to erase, modify, or restrict certain uses of their data
In addition to access requests, we can help erase personal data that we store on your behalf.
To erase a customer's personal data:
- In your store admin, navigate to Settings → Legal.
- Scroll down to the Customers’ personal data section.
- Select Delete customer data.
- Enter the customer's email address in the field:
- Click Submit.
After you click Submit, all personal data associated with this email address is permanently erased in 7 days. We also notify the developers of the apps from the app market (if you use any) that the customer has requested erasure of their personal data.
If you need to cancel the scheduled erasure, click the Cancel link next to it:
Simple requests (for example, a customer asking to delete their order) can also be handled directly in your store admin.
Data breach notifications
We act as a Data processor, while our merchants (you) act as Data controllers. If your store experiences a data breach of any kind, you may be required to notify the affected customers. Under the GDPR, the notification must be sent within 72 hours of becoming aware of the breach. Data processors are also required to notify users as well as the Data controllers immediately upon becoming aware of a data breach.
Additional information
Note that this guide is meant only to offer general advice and should not be taken as legal counsel. For definitive guidance, consult a qualified legal professional.